Facebook Compromises Two-Factor Authentication

They say they want your phone number to enhance your security.
Then they sell it to advertisers.

Two-factor authentication is hardly a phrase to set your pulse racing, but it’s the latest craze in the tech world. It even has its own TLA (that’s a Three-Letter Acronym, for all you non-geeks), namely “2FA”.

Passwords don’t work because most people are idiots. Wikipedia even lists the most common passwords year by year. It shows the passwords “password” and “123456” have vied for the top slot for the last seven years running. If your password happens to be on the 2017 list, I refer you to the start of this paragraph …

Passwords are essentially “1FA” – one-factor authentication – which is to say, something only you know (hopefully). The three kinds of factor are usually put like this:

  • Something you know: like a password.
  • Something you have: like an access card, a hardware token, or the phone (and SIM) that receives a text message.
  • Something you are: like a fingerprint or a retina scan.

Obviously, two factors are better than one. If your Gmail password is stolen, for example, how do you prove to Google that the account is really yours? Clicking the Send Me a Password Reset link is pointless as they’ll just email the link to the account you can no longer access. But if you’ve registered a mobile phone number, they can text you a reset code that you enter online to take back control of your account. (Strictly, that is account recovery rather than a second factor at login, but the same number usually serves both jobs, and a text message is the weakest second factor going: anyone who can persuade your carrier to move your number to their SIM receives your codes.)

(Yes, your mobile phone number really is unique since it’s prefixed by a country code.)

There are other uses for 2FA too. I sincerely hope your bank uses it before granting you online access to your accounts. The most common “second factors” here are the Entrust Datacard or Vasco’s Digipass.

A Datacard (not mine) and a Digipass (not mine either).

So all in all, 2FA is a Good Thing.

Except …

It now appears that Facebook are taking your second-factor ID (your mobile phone number) and adding it to the bundle of personal information they sell to advertisers. According to this report from the Electronic Frontier Foundation, the number you give to Facebook for security purposes “can become fair game for advertisers within weeks”.

It’s important to stress that this is NOT a problem with two-factor authentication.

[T]his is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

Yep, Facebook. Again. A few days after the EFF piece, Zuckerbergia admitted to a programming bug that let attackers steal the access tokens for some 50 million users’ accounts, with tokens reset on up to 90 million as a precaution. According to their VP of Global Marketing Solutions (whatever the hell that is), Facebook were hacked by:

an “odourless, weightless intruder” … which Facebook could only detect “once they made a certain move.”

“Odourless” and “weightless” certainly wouldn’t describe any of the hackers I’ve ever met, and I’m really curious about what that “certain move” might be. Perhaps it’s one of these:

(Incidentally, did you know Michael Jackson actually patented a pair of shoes used in his famous anti-gravity lean? No, really. He did!)

With those shoes, I could do that too.

WTF …? Somehow we’ve gone from two-factor authentication to dance shoes. Whatever. The executive summary is: 2FA, good. Facebook, bad. But you probably knew that last bit already.
